This blog is centered around work on the topics binary analysis and reverse engineering on x86 / x64, with a special focus on Windows. There might be something about malware analysis here and there, too.

Saturday, January 5, 2013

IDAscope progress

Originally, I only wanted to give a short update on the stuff I did to IDAscope at the very end of the 29c3 post... Apparently I created enough content to let this be a post of its own.

So now I want to cover the recent activities around IDAscope from the last month or so. I'm currently working on graphing stuff, as some of you might have seen on Twitter already, but I will cover this in an extra post and in full detail once it has reached a presentable (release-worthy, that is) state.

In late November I had some free time to push IDAscope a bit forward. As can be seen from the commit history, most changes were bugfixes, covering:

Update to renaming wrappers (thanks Branko).

A small bugfix for xrange() beyond 0xFFFFFFFF.

The results of Tarjan's algorithm for finding strongly connected components were used incorrectly, so basic blocks in nested or non-trivial loops were not covered.

The counting of semantic API hits in FunctionInspection was incorrect under certain circumstances.

IDAscope can now properly be used as an IDA plugin: it can be dropped into the plugins folder, it can autostart when a new binary is loaded, and it can be started via IDA's menu.

The config file format was changed from JSON to Python, for easier parsing and the ability to comment entries within the file.

Semantic tags can now be grouped within the definitions file.

Entries in the FunctionInspection widget can now be shown as groups and filtered with custom filters.

Filtering looks like this:
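To illustrate the loop-detection fix mentioned in the list above, here is an added example (not IDAscope's own code) of how the output of Tarjan's algorithm has to be interpreted so that blocks in nested loops and self-loops are all marked as loop blocks. The control flow graph, its block names and its edges are constructed for this example and are not taken from a real binary.

```python
# Added example, not part of IDAscope. Tarjan's SCC algorithm over a
# constructed CFG (dict: block -> list of successor blocks).

def tarjan_scc(cfg):
    """Return the strongly connected components of cfg as a list of sets."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in cfg.get(v, []):
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(comp)

    for v in cfg:
        if v not in index:
            strongconnect(v)
    return sccs


def loop_blocks(cfg):
    """Blocks inside some loop: every member of an SCC with more than one
    node (this covers nested loops, which share one SCC), plus single
    nodes with an edge to themselves. A single node without a self-edge
    is its own SCC but is NOT a loop."""
    result = set()
    for comp in tarjan_scc(cfg):
        if len(comp) > 1:
            result |= comp
        else:
            (v,) = comp
            if v in cfg.get(v, []):
                result.add(v)
    return result


# Constructed CFG: outer loop containing an inner loop, plus a self-loop.
CFG = {
    "entry": ["outer_head"],
    "outer_head": ["inner_head", "exit"],
    "inner_head": ["inner_body", "outer_tail"],
    "inner_body": ["inner_head"],
    "outer_tail": ["outer_head"],
    "exit": ["spin"],
    "spin": ["spin", "ret"],
    "ret": [],
}
```

Calling loop_blocks(CFG) returns the four blocks of the nested loop pair plus "spin", while "entry", "exit" and "ret" are left out.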

Probably more interesting is the visual feature I am working on.

Graphing Function Relationship

My current progress on graphing includes being able to extract the structure of arbitrary functions and their referenced children from IDA and generating a graph layout based on this information. Nodes can still be moved around freely once the calculated layout has been "unlocked". Incoming and outgoing references are coloured green/red to improve the navigation. API calls are not shown yet but will be nested within the display of their respective calling function (red box to expand and show these API calls). The graph can be dragged around, navigated with the keyboard and seamlessly zoomed in and out.
At the moment, it looks like this:

Before I actually fill this with more functionality such as actions upon clicks (move to function, rename function, display API calls within function, optional colouring, you name it, ...) I have to solve other, more essential issues. :)

When displaying graphs of functions with a lot of children, I run into the same issues as you all experienced with the WinGraph overviews:

You don't really get the structure any longer and everything becomes unreadable. However, having this window open beside your single-function view is already a benefit, I guess. Furthermore, removing API calls from the set of nodes being graphed improved the situation a bit as well, but I am not satisfied yet.

A property of these large graphs is that their aspect ratio is way off: they are much wider than they are high. This can likely be fixed by patching the graph layout algorithm I am currently using. Again, thanks to bdcht for providing his lib grandalf!

While the relationships between functions are probably easier to grasp in my graphs already...

... I want to work towards something that is really helpful for browsing functions and recognizing patterns in their relationships.

Right now it's too "alpha" to show any code yet, but please contact me if you have ideas you want to see embedded into this or see potential for improvement!

We'll see where I end up with this.
Make sure to check out the repository from time to time to keep up with the additions and improvements. Larger releases are announced here in the blog, shorter ones on Twitter.